The present invention relates to the field of data communications, and more particularly to a virtual private network with multiple tunnels associated with a group of users where the server node in the virtual private network has a single tunnel definition and a single security policy for the multiple tunnels associated with the group.
Security is a significant concern in the communication between computer networks over a public network, e.g., institutional intranets and Internet. Public networks provide the capability for a large number of diverse users to establish communication links between each other. A series of servers and switching systems route packets of data between various users based upon addresses using communication protocols such as TCP/IP. Unfortunately, packets of data move between senders and recipients through various pathways that are unsecured, i.e., third parties may gain access to data sent between authorized senders and recipients.
One solution to secure the transfer of data between senders and recipients over a public network is through a virtual private network. A virtual private network (VPN) is an extension of an enterprise""s private intranet across a public network such as the Internet, creating a secure private connection, commonly referred as a xe2x80x9ctunnel.xe2x80x9d For example, virtual private networks may be established between an enterprise""s private intranet and remote users, branch offices or business partners. The secure private connection, i.e., tunnel, is established between sites, commonly referred to as xe2x80x9cnodes.xe2x80x9d Once the tunnel is established, data may be transmitted between nodes without the risk of interception by unauthorized users through the use of encryption, e.g., preshared keys, public keys. A preshared key is a value that is used to authenticate the nodes of a tunnel. That is, the sane preshared key must be possessed by the two nodes in order to create a tunnel between the nodes.
A virtual private network may be configured by having one node designated as the server node and a plurality of nodes designated as client nodes. Each client node is connected to the server node establishing a plurality of tunnels between the client nodes and the server node. A tunnel definition defines the end points of a tunnel thereby establishing a tunnel. A security policy describes the characteristics of protection for the transfer of information between the nodes defining the tunnel. In prior art virtual private networks, VPN""s create a security policy and a tunnel definition in the server node for each of the plurality of tunnels connected to the server node thereby resulting in a large number of security policies to be created and maintained for the many users of resources on a network.
It would therefore be desirable to develop a virtual private network where the server node has one security policy and one tunnel definition associated with a plurality of tunnels where the plurality of tunnels are associated with a group, i.e., group of users. It would further be desirable to allow the users to be identified by any specified name. It would further be desirable to allow a non-contiguous set of ID types to be defined as a group.
The problems outlined above may at least in part be solved in some embodiments by configuring a group database in the server node where the group database comprises a group name and a list of members associated with the group name. Furthermore, a rules database in the server node is configured. The rules database associates the group name with a particular security policy. The server node then has a single security policy for each of the plurality of tunnels associated with the group name. Furthermore, a tunnel definition database in the server node is configured. In the tunnel definition database, the remote ID is defined as the group name. The server node then has a single tunnel definition for each of the plurality of tunnels associated with the group name.
In one embodiment, a method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprises the step of configuring a group database in the server node. The group database comprises the group name and a list of members associated with the group name. The method further comprises configuring a rules database in the server node. The rules database associates the group name with a particular security policy. The method further comprises configuring a tunnel definition database in the server node. In the tunnel definition database, the remote ID is defined as the group name.
In another embodiment of the present invention, the list of members associated with the group name comprises a non-contiguous list of ID types, e.g., Internet Key Exchange (IKE) defined ID types such as Internet Protocol addresses, User@ Fully Qualified Domain Name (FQDN), FQDN, and X.500 Distinguished Name. In another embodiment of the present invention, the members associated with the group name are identified by any specified name.
The foregoing has outlined rather broadly the features and technical advantages of the present invention in order that the detailed description of the invention that follows may be better understood. Additional features and advantages of the invention will be described hereinafter which form the subject of the claims of the invention.